Skip to content

fix: pin 1 unpinned action(s)#2800

Merged
Snailclimb merged 1 commit intoSnailclimb:mainfrom
dagecko:runner-guard/fix-ci-security
Mar 26, 2026
Merged

fix: pin 1 unpinned action(s)#2800
Snailclimb merged 1 commit intoSnailclimb:mainfrom
dagecko:runner-guard/fix-ci-security

Conversation

@dagecko
Copy link
Contributor

@dagecko dagecko commented Mar 26, 2026

Fix: CI/CD Security Vulnerabilities in GitHub Actions

Hi! Runner Guard, an open-source
CI/CD security scanner by Vigilant Cyber Security,
identified security vulnerabilities in this repository's GitHub Actions workflows.

This PR applies automated fixes where possible and reports additional findings
for your review.

Fixes applied (in this PR)

Rule Severity File Description
RGS-007 high .github/workflows/test.yml Pinned 1 third-party action(s) to commit SHA

Advisory: additional findings (manual review recommended)

No additional findings beyond the fixes applied above.

Why this matters

GitHub Actions workflows that use untrusted input in run: blocks, expose
secrets inline, or use unpinned third-party actions are vulnerable to
code injection, credential theft, and supply chain attacks. These are the same
vulnerability classes exploited in the tj-actions/changed-files incident
and subsequent supply chain attacks, which compromised CI secrets across
thousands of repositories.

How to verify

Review the diff — each change is mechanical and preserves workflow behavior:

  • Expression extraction (RGS-002/008/014): Moves ${{ }} expressions from
    run: blocks into env: mappings, preventing shell injection
  • SHA pinning (RGS-007): Pins third-party actions to immutable commit SHAs
    (original version tag preserved as comment)
  • Debug env removal (RGS-015): Removes ACTIONS_RUNNER_DEBUG/ACTIONS_STEP_DEBUG
    which leak secrets in workflow logs

Run brew install Vigilant-LLC/tap/runner-guard && runner-guard scan . or install from the
repo to verify.

Found by Runner Guard | Built by Vigilant Cyber Security | Learn more

If this PR is not welcome, just close it -- we won't send another.

@dagecko
fix: pin 1 unpinned action(s)
80566c5 
Automated security fixes applied by Runner Guard (https://github.com/Vigilant-LLC/runner-guard).

Changes:
 .github/workflows/test.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
@Snailclimb Snailclimb merged commit f39d76d into Snailclimb:main Mar 26, 2026
@Snailclimb
Copy link
Owner

Snailclimb commented Mar 26, 2026

修复:GitHub Actions 中的 CI/CD 安全漏洞

您好!由Vigilant Cyber​​ Security 开发的开源 CI/CD 安全扫描器Runner Guard检测 到此存储库的 GitHub Actions 工作流中存在安全漏洞。

此 PR 尽可能应用了自动修复,并报告了其他发现 供您审核。

已应用修复(在此 PR 中)

规则 严重程度 文件 描述
RGS-007 高的 .github/workflows/test.yml 已将 1 个第三方操作固定到提交 SHA。

建议:补充发现(建议人工审核)

除了上述修复措施外,未发现其他问题。

为什么这很重要

使用不受信任的输入run:块、直接暴露 密钥或使用未锁定的第三方操作的 GitHub Actions 工作流容易受到代码注入、凭证窃取和供应链攻击。这些漏洞与tj-actions/changed-files 事件及其后续供应链攻击 中利用的漏洞 相同,导致 数千个代码库的 CI 密钥泄露。

如何验证

查看差异——每次更改都是机械性的,并且不会改变工作流程的行为:

  • 表达式提取(RGS-002/008/014):将${{ }}表达式从
    run:代码块移至env:映射中,防止 shell 注入
  • SHA 锁定(RGS-007):将第三方操作锁定到不可变的提交 SHA
    (原始版本标签保留为注释)
  • 调试环境移除(RGS-015):移除
    工作流日志中可能泄露密钥的根目录ACTIONS_RUNNER_DEBUG/ACTIONS_STEP_DEBUG

从仓库运行brew install Vigilant-LLC/tap/runner-guard && runner-guard scan .或安装以进行验证。

由Runner Guard发现| 由Vigilant Cyber​​ Security构建|了解更多

如果这个 PR 不受欢迎,请直接关闭——我们不会再发送新的 PR。

感谢!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@dagecko @Snailclimb